diff --git a/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
index 4f73b26b8..d67130e75 100644
--- a/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
@@ -23,6 +23,8 @@ detection:
 - 'netlogon*.bat'
 - 'UsrLogon.cmd'
 - 'C:\WINDOWS\Explorer.EXE'
+ - CommandLine:
+ - 'PowerShell.exe'
 - Image|endswith:
 - '\explorer.exe'
 - '\proquota.exe'
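Review bot: The added `- CommandLine:` / `- 'PowerShell.exe'` entry matches on the command-line string alone, so it is not tied to the binary that actually ran. The list's key and the rule's `condition` are outside the hunk, but the neighbouring `explorer.exe` and `netlogon*.bat` entries suggest this is the exclusion set, in which case any process reporting exactly that command line is filtered out of the detection. Binding the entry to the image within the same list item would narrow it, for example `- CommandLine: 'PowerShell.exe'` followed by `Image|endswith: '\powershell.exe'` as a second key of that item. A comment above the entry naming what legitimately produces the bare command line, such as `# bare PowerShell.exe started at logon by <product, to be filled in>`, would let later reviewers judge whether the exclusion is still needed.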